From: "Collins, Kevin" <KCollins@nesbittengineering.com>
To: <samba@lists.samba.org>
Sent: Wednesday, May 07, 2003 3:33 PM
Subject: [Samba] Replacing WinNT 4 PDC with Samba PDC

Hi All!

Thanks to all of you that responded to my previous posts. I've gotten a lot more info now than I used to have!

But I still have questions. The biggest right now is: Is there a way to build up a Samba PDC as a direct replacement for an existing Windows NT 4.0 PDC?

All the material I've found to date is written from a standpoint of creating a new domain as you create the Samba machine. This may be what I have to do in the end, but I would like to avoid it if possible.

If there is a way, can someone point me to the right place for the HOWTO/Documentation? As of right now, I'm not looking for an LDAP solution, but if that's what it takes, then that's where I'll go. For what it's worth, the setup will be on Red Hat's "ES" Server (which I think is RH 7.3 based) and Samba 2.2.8.

Why do I need this? Because I have an existing Exchange Server with a 4GB Information Store that I would have to rebuild as well - not a pretty picture. If I can build the Samba PDC as a replacement for the existing PDC, that's what I'd like to do.

Thanks,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.
(859) 233-3111 x24
Hi Kevin,

I found a huge wealth of good info in the following articles:

The new Samba-HOWTO-Collection at:
http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.pdf

"The Unofficial Samba HowTo" by David Lechnyr (has a PDC section that's very helpful)
http://hr.uoregon.edu/davidrl/samba/samba-intro.html

"Building a Primary Domain Controller with Samba" by Carla Schroder (filled in some gaps)
http://networking.earthweb.com/article.php/10492_1570651_2
and
http://networking.earthweb.com/netos/article.php/1151091

My best,
Dan Gapinski
BTW, were you looking for a drop-in replacement for your current PDC? That might require some doing. Like making it slave as a BDC before promoting it to a PDC, and I have not tried that, & don't know if it's possible. The docs might though.

Dan
I am in the midst of something very similar... because of the passwords, I believe you need to have the users re-assign (or you) their passwords. User information is easily transferable.

I went the LDAP route because it mimics a PDC/BDC relationship extremely well. I currently have two remote servers syncing their account information with the main (PDC)... it works great.

So, to answer your question, you can import user information in either the typical linux passwd/group way or go with a much more robust LDAP solution... but either way, you need to incorporate a mechanism for users to change their passwords (initially just set them to some default)... I chose a web-based solution for password changes since no user logs into the linux box, and no user is smart enough to get it right via win98
bit baffled as to your statement about:
Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC

maybe we are just on a different page, but with winbind, aren't you able to grab the user database from a remote NT4 PDC?? and then authenticate off that? which would then be a BDC (for authentication purposes at least)

please correct me where I am wrong, or where there may be miscommunication

> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: Wednesday, May 07, 2003 4:22 PM
> To: David Chait
> Cc: samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> On Wed, 7 May 2003, David Chait wrote:
>
> > Samba cannot act as a BDC, at least it couldn't last I checked.
>
> Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and Samba-3.0.0
> can not act as a BDC to an NT4 PDC.
>
> Samba-3.0.0 will offer a facility to migrate all accounts off an NT4
> Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently replace
> your PDC without having to reconfigure all workstations. Samba-3.0.0 is
> nearing going into Beta (and out of Alpha) soon. We are working hard to
> document this release VERY thoroughly.
>
> - John T.
Hey John..thanks for that..I think many of us (probably wrongfully) term BDC as authentication, and then just leave it at that...which samba, as you stated, does do.

I guess the way I look at it is, if you have a NT PDC, then you probably have at least one other NT BDC...the SAMBA machine is used for a remote site and authenticating..

If the PDC poo-poo's out, you have that other BDC which you can promote. I couldn't imagine having a NT PDC with a bunch of samba machines authenticating, because then, why not just take the plunge fully and go a full samba controlled backend?

So, as you said..it doesn't do all the bells and whistles that define an NT BDC...but it does do the important part and lets you logon! ;)

> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: Wednesday, May 07, 2003 8:46 PM
> To: tech mail
> Cc: David Chait; samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> On Wed, 7 May 2003, tech mail wrote:
>
> > bit baffled as to your statement about:
> > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> >
> > maybe we are just on a different page, but with winbind, aren't you able to
> > grab the user database from a remote NT4 PDC?? and then authenticate off
> > that? which would then be a BDC (for authentication purposes at least)
>
> Apparently we are on a different page!
>
> You really will need to read the new Samba-HOWTO-Collection some time (not
> released yet). This document is a work in progress.
>
> > please correct me where I am wrong, or where there may be miscommunication
>
> Wrong. Winbind does not do SAM replication! If it does then point me to
> the code that makes that happen. :)
>
> Full BDC functionality requires that the BDC will NOT ONLY authenticate
> domain logons, but also that it will partake fully in replication of the
> MS Windows NT4 domain security files (these are the files located on NT4
> in C:\WinNT\System32\config), the files that partake in Domain Security
> are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style
> Registry, even though Samba-3 does emulate some parts of it.
>
> But replication of all this data and the protocols needed to make that
> happen is NOT supported in Samba. This means Samba also does NOT have the
> protocols that trigger Domain Security account synchronisation.
>
> One more feature that the BDC/PDC code functionality permits is for BDCs
> to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again,
> Samba does NOT support this functionality.
>
> In effect therefore we can not and must not claim that Samba CAN be a BDC
> to an NT4 PDC. That type of claim will cause trouble and disenchanted
> users.
>
> What should be noted though, is that Samba can do distributed
> authentication. There are a number of ways that can be done. Winbind is
> just one of them. But with winbind, if the PDC goes down, your BDC is out
> of operation (if that is what you are dependent on in your "BDC" design).
>
> I hope my answer is totally clear now. More so, I hope this brings us all
> onto the one page again. :)
>
> Cheers,
> John T.
The lord have cometh!

> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: Wednesday, May 07, 2003 9:19 PM
> To: tech mail
> Cc: David Chait; samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> On Wed, 7 May 2003, tech mail wrote:
>
> > Hey John..thanks for that..I think many of us (probably wrongfully) term BDC
> > as authentication, and then just leave it at that...which samba, as you
> > stated, does do.
>
> Samba-3 does MUCH more than that - it allows you to build an NT4 style
> domain controller that has the robustness and scalability of Active
> Directory. But the design implementation will be VERY different from the
> way that ADS does it.
>
> I firmly believe that we have an alternative solution that for some people
> (many) will be a better solution than ADS. It has its own unique features
> and benefits. BUT, it is NOT NT4 PDC/BDC! It is NOT ADS! To say otherwise
> will earn us a scorn we will deserve.
>
> We need to get the message out that Samba offers an alternative that may
> be better, may be no better, and may not suit every site. But for those it
> does suit it is a sweet and dandy solution.
>
> - John T.
OK, just so were all on the same page.... :) As it stands right now, using Samba 2.2.x I can not do a "drop-in" replacement for my WinNT PDC, I need to build a new domain with the Samba PDC at the core. As I don't have the time to wait on Samba 3.x, I must move on knowing the limitations and requirements of doing so. I understand the problem with Exchange 2000 requiring Active Directory. I have no intention of moving to Exchange 2000, so that's a non issue. I'm *seriously* looking for an open source solution to completely replace Exchange anyway. But that's another fish for another day. My current domain design has three independent domains with established two-ways trusts. I understand that Samba 2.2.x doesn't do trusts either, so while I'm designing the new Samba domain, I'm probably going to be building *one* domain with at least two BDCs to replace the PDCs in the other domains I have now. Because this is a three-site setup that is connected by 128k Frame-Relay lines to form the WAN (hence the three NT domains), I probably need the robustness of an LDAP backend. This (I think) will allow me to create "replicated" copies of the LDAP database in each of the three sites (on the Samba BDCs), so that they each can function independently of each other if the WAN goes down. It also should allow me to keep authentication traffic isolated to each site as well. Because I'm maintaining an NT style setup with Samba 2.2.x, I should be able to have my existing Exchange 5.5 server authenticate against the Samba PDC/BDCs. I haven't tested this, but from David Chait's comments I'm assuming this is the case. I was planning on building a Samba PDC in my lab today to test this, but if anyone can give me a definite answer.... Do those with greater Samba experience than I agree with the statements above? BTW John T.: I appreciate the offer to call you if I need help. Before it's all over, I'm certain I'll do just that! Does 3:00 am on Saturday work for you? 
:-) Again thanks to all, I'm off to do more reading...now where is that LDAP HOWTO? -- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc.> -----Original Message----- > From: John H Terpstra [mailto:jht@samba.org] > Sent: Wednesday, May 07, 2003 10:19 PM > To: tech mail > Cc: samba@lists.samba.org; Dan Gapinski; Collins, Kevin > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC > > > On Wed, 7 May 2003, tech mail wrote: > > > Hey John..thanks for that..I think many of us (probably > wrongfully) term BDC > > as authentication, and then just leave it at that...which > samba, as you > > stated, does do. > > Samba-3 does MUCH more than that - it allows you to build an NT4 style > domain controller that has the robustness and scalability of Active > Directory. But the design implementation will be VERY > different from the > way that ADS does it. > > I firmly believe that we have an alternative solution that > for some people > (many) will be a better solution than ADS. It has it's own > unique features > and benefits. BUT, it is NOT NT4 PDC/DBC! It is NOT ADS! To > say otherwise > will earn us a scorn we will deserve. > > We need to get the message out that Samba offers and > alternative that may > be better, may be no better, and may not suit every site. But > for those it > does suit it is a sweet and dandy solution. > > - John T. > > > > > I guess the way I look at it is, if you have a NT PDC, then > you probably > > have at least one other NT BDC...the SAMBA machine is used > for a remote site > > and authenticating.. > > > > If the PDC poo-poo's out, you have that other BDC which you > can promote. I > > couldn't imagine having a NT PDC with a bunch of samba machines > > authenticating, because then, why not just take the plunge > fully and go a > > full samba controlled backend? > > > > So, as you said..it doesnt do all the bells and whistles > that define an NT > > BDC...but it does do the important part and lets you logon! 
> > ;)
> >
> > > -----Original Message-----
> > > From: John H Terpstra [mailto:jht@samba.org]
> > > Sent: Wednesday, May 07, 2003 8:46 PM
> > > To: tech mail
> > > Cc: David Chait; samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > >
> > > On Wed, 7 May 2003, tech mail wrote:
> > >
> > > > bit baffled as to your statement about:
> > > > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> > > >
> > > > maybe we are just on a different page, but with winbind, aren't you able to grab the user database from a remote NT4 PDC?? and then authenticate off that? which would then be a BDC (for authentication purposes at least)
> > >
> > > Apparently we are on a different page!
> > >
> > > You really will need to read the new Samba-HOWTO-Collection some time (not released yet). This document is a work in progress.
> > >
> > > > please correct me where I am wrong, or where there may be miscommunication
> > >
> > > Wrong. Winbind does not do SAM replication! If it does then point me to the code that makes that happen. :)
> > >
> > > Full BDC functionality requires that the BDC will NOT ONLY authenticate domain logons, but also that it will partake fully in replication of the MS Windows NT4 domain security files (these are the files located on NT4 in C:\WinNT\System32\config), the files that partake in Domain Security are SAM and Security. Trust me, Samba does NOT have a Windows NT4 style Registry, even though Samba-3 does emulate some parts of it.
> > >
> > > But replication of all this data and the protocols needed to make that happen is NOT supported in Samba. This means Samba also does NOT have the protocols that trigger Domain Security account synchronisation.
> > >
> > > One more feature that the BDC/PDC code functionality permits is for BDCs to be promoted to PDCs which will cause a PDC to be demoted to BDC. Again, Samba does NOT support this functionality.
> > >
> > > In effect therefore we can not and must not claim that Samba CAN be a BDC to an NT4 PDC. That type of claim will cause trouble and disenchanted users.
> > >
> > > What should be noted though, is that Samba can do distributed authentication. There are a number of ways that can be done. Winbind is just one of them. But with winbind, if the PDC goes down, your BDC is out of operation (if that is what you are dependent on in your "BDC" design).
> > >
> > > I hope my answer is totally clear now. More so, I hope this brings us all onto the one page again. :)
> > >
> > > Cheers,
> > > John T.
> > >
> > > > > -----Original Message-----
> > > > > From: John H Terpstra [mailto:jht@samba.org]
> > > > > Sent: Wednesday, May 07, 2003 4:22 PM
> > > > > To: David Chait
> > > > > Cc: samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > >
> > > > > On Wed, 7 May 2003, David Chait wrote:
> > > > >
> > > > > > Samba cannot act as a BDC, at least it couldn't last I checked.
> > > > >
> > > > > Samba-2.2.x CAN act as a BDC to a Samba PDC. Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC.
> > > > >
> > > > > Samba-3.0.0 will offer a facility to migrate all accounts off an NT4 Domain to a Samba Domain. You CAN with Samba-3.0.0 transparently replace your PDC without having to reconfigure all workstations. Samba-3.0.0 is nearing going into Beta (and out of Alpha) soon. We are working hard to document this release VERY thoroughly.
> > > > >
> > > > > - John T.
> > > > > > ----- Original Message -----
> > > > > > From: "Dan Gapinski" <DanGapinski@qsi-r2.com>
> > > > > > To: "Collins, Kevin" <KCollins@nesbittengineering.com>; <samba@lists.samba.org>
> > > > > > Sent: Wednesday, May 07, 2003 2:00 PM
> > > > > > Subject: Re: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > >
> > > > > > > BTW,
> > > > > > >
> > > > > > > were you looking for a drop-in replacement for your current PDC? That might require some doing. Like making it slave as a BDC before promoting it to a PDC, and I have not tried that, & don't know if it's possible. The docs might though.
> > > > > > >
> > > > > > > Dan
> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins@nesbittengineering.com]
> Sent: Thursday, May 08, 2003 8:25 AM
> To: samba@lists.samba.org
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> OK, just so we're all on the same page.... :)
>
> As it stands right now, using Samba 2.2.x I can not do a "drop-in" replacement for my WinNT PDC, I need to build a new domain with the Samba PDC at the core. As I don't have the time to wait on Samba 3.x, I must move on knowing the limitations and requirements of doing so.
>
> I understand the problem with Exchange 2000 requiring Active Directory. I have no intention of moving to Exchange 2000, so that's a non-issue. I'm *seriously* looking for an open source solution to completely replace Exchange anyway. But that's another fish for another day.

I faced a similar problem, and just dropped Exchange:
www.webbasedemail.com if you need polished
squirrelmail if you just want functionality

> My current domain design has three independent domains with established two-way trusts. I understand that Samba 2.2.x doesn't do trusts either, so while I'm designing the new Samba domain, I'm probably going to be building *one* domain with at least two BDCs to replace the PDCs in the other domains I have now.
>
> Because this is a three-site setup that is connected by 128k Frame-Relay lines to form the WAN (hence the three NT domains), I probably need the robustness of an LDAP backend. This (I think) will allow me to create "replicated" copies of the LDAP database in each of the three sites (on the Samba BDCs), so that they each can function independently of each other if the WAN goes down. It also should allow me to keep authentication traffic isolated to each site as well.

This works great for me

> Because I'm maintaining an NT style setup with Samba 2.2.x, I should be able to have my existing Exchange 5.5 server authenticate against the Samba PDC/BDCs. I haven't tested this, but from David Chait's comments I'm assuming this is the case. I was planning on building a Samba PDC in my lab today to test this, but if anyone can give me a definite answer....
>
> Do those with greater Samba experience than I agree with the statements above?
>
> BTW John T.: I appreciate the offer to call you if I need help. Before it's all over, I'm certain I'll do just that! Does 3:00 am on Saturday work for you? :-)
>
> Again thanks to all, I'm off to do more reading...now where is that LDAP HOWTO?
>
> -- 
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
OK, I've run aground on my first attempt at building my test Samba/LDAP PDC...surprise, surprise. ;-)

I've been trying for about 3 hours to build Samba from the Source RPM that RedHat supplies with RedHat 8.0. Every time I build the RPM it fails during the compile of SAMBA with:

"--with-ldapsam Command not found."

The process I've used to get to where I am is:

Modified the "/usr/src/redhat/SPEC/samba.spec" file to include the line "--with-ldapsam" at the end of the configure options. I go to build the RPM with the command "rpmbuild -ba /usr/src/redhat/SPEC/samba.spec", and the machine begins to whir. After about 3 minutes of churning, I get the error I mentioned.

I'm thinking this is because of the time differences between the HOWTOs I've looked at and the version of SAMBA that I'm using (2.2.5-10 by RedHat). Maybe the "--with-ldapsam" option has changed or is built in? Can anyone give me a pointer?

I'm using all stock RedHat 8 stuff:
Samba 2.2.5-10
OpenLDAP 2.0.25-xx

I'm trying to build an RPM set from the Source RPM that RedHat provides. This way I can use the rebuilt RPM when I go to build my real server later on.

Thanks in advance,

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

> -----Original Message-----
> From: John H Terpstra [mailto:jht@samba.org]
> Sent: Thursday, May 08, 2003 11:15 AM
> To: Collins, Kevin
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> On Thu, 8 May 2003, Collins, Kevin wrote:
>
> > OK, just so we're all on the same page.... :)
> >
> > As it stands right now, using Samba 2.2.x I can not do a "drop-in" replacement for my WinNT PDC, I need to build a new domain with the Samba PDC at the core. As I don't have the time to wait on Samba 3.x, I must move on knowing the limitations and requirements of doing so.
>
> As a matter of fact, Samba-2.2.x can be a drop-in replacement for NT4 PDC but you need to jump through hoops to migrate the SAM to LDAP (only back end that will approach your needs).
>
> Your best choice at this time is to work with Samba-3 (it should be in official Beta soon and your feedback might actually help accelerate its maturation). I would still use LDAP, but note that there will be a schema change for samba-3, which is why I'd put myself through the pain barrier once - not twice (NT4 -> Samba-2.2.x -> Samba-3).
>
> > I understand the problem with Exchange 2000 requiring Active Directory. I have no intention of moving to Exchange 2000, so that's a non-issue. I'm *seriously* looking for an open source solution to completely replace Exchange anyway. But that's another fish for another day.
>
> Ok.
>
> > My current domain design has three independent domains with established two-way trusts. I understand that Samba 2.2.x doesn't do trusts either, so while I'm designing the new Samba domain, I'm probably going to be building *one* domain with at least two BDCs to replace the PDCs in the other domains I have now.
>
> I'd shoot for one single domain. It is administratively more manageable,
>
> > Because this is a three-site setup that is connected by 128k Frame-Relay lines to form the WAN (hence the three NT domains), I probably need the robustness of an LDAP backend. This (I think) will allow me to create "replicated" copies of the LDAP database in each of the three sites (on the Samba BDCs), so that they each can function independently of each other if the WAN goes down. It also should allow me to keep authentication traffic isolated to each site as well.
>
> Yep.
>
> > Because I'm maintaining an NT style setup with Samba 2.2.x, I should be able to have my existing Exchange 5.5 server authenticate against the Samba PDC/BDCs. I haven't tested this, but from David Chait's comments I'm assuming this is the case. I was planning on building a Samba PDC in my lab today to test this, but if anyone can give me a definite answer....
>
> Should be Ok.
>
> > Do those with greater Samba experience than I agree with the statements above?
>
> Experts are experts because they never agree with each other! :-)
>
> > BTW John T.: I appreciate the offer to call you if I need help. Before it's all over, I'm certain I'll do just that! Does 3:00 am on Saturday work for you? :-)
>
> 3:00am my time or yours? If mine, can you afford the fee? :-)
>
> > Again thanks to all, I'm off to do more reading...now where is that LDAP HOWTO?
>
> Cheers,
> John T.
>
> > -- 
> > Kevin L. Collins, MCSE
> > Systems Manager
> > Nesbitt Engineering, Inc.
Giulio:

> As for 1), maybe you had something like
>
> --with-stuff1 \
> --with-stuff2
> --with-ldapsam

This is not the way I did it....

> you forgot to add a \ at the end of the above line (no spaces after \).
>
> --with-stuff1 \
> --with-stuff2 \
                ^^^ (You actually should only have one space here, right? ;-) )
> --with-ldapsam

This is the way I did it:

--with-stuff1 \
--with-stuff2 \
# NEI Modifications
--with-ldapsam

--> I've attached the samba.spec file for inspection. <--

Here is the actual error message I get:

---------------------<snipped from screen>------------------------
creating include/config.h
+ --with-ldapsam
/var/tmp/rpm-tmp.73831: line 70: --with-ldapsam: command not found
error: Bad exit status from /var/tmp/rpm-tmp.73831 (%build)

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.73831 (%build)
> --> I've attached the samba.spec file for inspection. <--

Well I *meant to*. ;-) I did on this one.

Kevin
On Thu, 8 May 2003 15:08:14 -0400, "Collins, Kevin" <KCollins@nesbittengineering.com> wrote:

>> you forgot to add a \ at the end of the above line (no spaces after \).
>>
>> --with-stuff1 \
>> --with-stuff2 \
>                 ^^^ (You actually should only have one space here, right? ;-) )

No :-) You can put spaces and tabs before \, but nothing after it.

> This is the way I did it:
>
> --with-stuff1 \
> --with-stuff2 \
> # NEI Modifications
> --with-ldapsam

The above is not correct. You cannot intermix line(s) without \ and keep the command "united".

So change it to

--with-stuff1 \
--with-stuff2 \
--with-ldapsam

or maybe

--with-stuff1 \
--with-stuff2 \
--with-ldapsam # NEI Modifications

-- 
giulioo@pobox.com
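The failure behind the "--with-ldapsam: command not found" line, shown as an added example rather than anything taken from the thread or from the samba.spec file: a hypothetical stand-in function, fake_configure, only reports the options it receives, and the three layouts of the same fragment are fed to it. A backslash joins a line to the one after it, so a comment line placed between two continued lines becomes the tail of the command and ends it there; the option on the following line is then executed as a command of its own, which is exactly the "+ --with-ldapsam" the rpm build log shows before failing.

```shell
#!/bin/sh
# Added example, not from the thread or from samba.spec: why a comment line
# between backslash-continued configure options splits the command in two.
# fake_configure is a hypothetical stand-in for ./configure that just prints
# the options it was given, so the layouts can be compared without a build.

fake_configure() {
    printf '%s\n' "$*"
}

# Layout 1 (correct): every line but the last ends in "\", the comment sits
# after the option on the last line. Whitespace may precede "\", nothing may
# follow it on the same line.
good_layout() {
    fake_configure --with-stuff1 \
        --with-stuff2 \
        --with-ldapsam    # NEI Modifications
}

# Layout 2 (also correct, Peter's advice): insert the new option between
# existing ones, so the original last line stays the last line.
inserted_layout() {
    fake_configure --with-stuff1 \
        --with-ldapsam \
        --with-stuff2
}

# Layout 3 (Kevin's): "--with-stuff2 \" joins onto the comment line, the "#"
# ends the command there, and "--with-ldapsam" on the next line runs as a
# separate command. That is rpmbuild's "command not found", exit status 127.
broken_layout() {
    fake_configure --with-stuff1 \
        --with-stuff2 \
        # NEI Modifications
        --with-ldapsam
}

# Run directly: the last line shows what configure actually received in the
# broken layout, and the status of the stray command.
echo "good:     $(good_layout)"
echo "inserted: $(inserted_layout)"
broken_out=$(broken_layout 2>/dev/null)
broken_status=$?
echo "broken:   $broken_out (stray command exited $broken_status)"
```

The same rule explains Giulio's remark about spaces: "\" followed by a space is an escaped space, not a line continuation, so the next line again becomes a separate command.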
I had a dickens of a time with that as well, and found this link useful:

http://samba.idealx.org/samba-ldap-howto.pdf

Do a search for SPECS and it takes you right to the spot.. which seems like what you did, but there may be a missing little something that this will key in on.

> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins@nesbittengineering.com]
> Sent: Thursday, May 08, 2003 1:08 PM
> To: samba@lists.samba.org
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> OK, I've run aground on my first attempt at building my test Samba/LDAP PDC...surprise, surprise. ;-)
>
> I've been trying for about 3 hours to build Samba from the Source RPM that RedHat supplies with RedHat 8.0. Every time I build the RPM it fails during the compile of SAMBA with: "--with-ldapsam Command not found."
>
> The process I've used to get to where I am is:
>
> Modified the "/usr/src/redhat/SPEC/samba.spec" file to include the line "--with-ldapsam" at the end of the configure options. I go to build the RPM with the command "rpmbuild -ba /usr/src/redhat/SPEC/samba.spec", and the machine begins to whir. After about 3 minutes of churning, I get the error I mentioned.
>
> I'm thinking this is because of the time differences between the HOWTOs I've looked at and the version of SAMBA that I'm using (2.2.5-10 by RedHat). Maybe the "--with-ldapsam" option has changed or is built in? Can anyone give me a pointer?
>
> I'm using all stock RedHat 8 stuff:
> Samba 2.2.5-10
> OpenLDAP 2.0.25-xx
>
> I'm trying to build an RPM set from the Source RPM that RedHat provides. This way I can use the rebuilt RPM when I go to build my real server later on.
>
> Thanks in advance,
>
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
>
> > -----Original Message-----
> > From: John H Terpstra [mailto:jht@samba.org]
> > Sent: Thursday, May 08, 2003 11:15 AM
> > To: Collins, Kevin
> > Cc: samba@lists.samba.org
> > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> >
> > On Thu, 8 May 2003, Collins, Kevin wrote:
> >
> > > OK, just so we're all on the same page.... :)
> > >
> > > As it stands right now, using Samba 2.2.x I can not do a "drop-in" replacement for my WinNT PDC, I need to build a new domain with the Samba PDC at the core. As I don't have the time to wait on Samba 3.x, I must move on knowing the limitations and requirements of doing so.
> >
> > As a matter of fact, Samba-2.2.x can be a drop-in replacement for NT4 PDC but you need to jump through hoops to migrate the SAM to LDAP (only back end that will approach your needs).
> >
> > Your best choice at this time is to work with Samba-3 (it should be in official Beta soon and your feedback might actually help accelerate its maturation). I would still use LDAP, but note that there will be a schema change for samba-3, which is why I'd put myself through the pain barrier once - not twice (NT4 -> Samba-2.2.x -> Samba-3).
> >
> > > I understand the problem with Exchange 2000 requiring Active Directory. I have no intention of moving to Exchange 2000, so that's a non issue. I'm *seriously* looking for an open source solution to completely replace Exchange anyway. But that's another fish for another day.
> >
> > Ok.
> >
> > > My current domain design has three independent domains with established two-way trusts. I understand that Samba 2.2.x doesn't do trusts either, so while I'm designing the new Samba domain, I'm probably going to be building *one* domain with at least two BDCs to replace the PDCs in the other domains I have now.
> >
> > I'd shoot for one single domain. It is administratively more manageable.
> >
> > > Because this is a three-site setup that is connected by 128k Frame-Relay lines to form the WAN (hence the three NT domains), I probably need the robustness of an LDAP backend. This (I think) will allow me to create "replicated" copies of the LDAP database in each of the three sites (on the Samba BDCs), so that they each can function independently of each other if the WAN goes down. It also should allow me to keep authentication traffic isolated to each site as well.
> >
> > Yep.
> >
> > > Because I'm maintaining an NT style setup with Samba 2.2.x, I should be able to have my existing Exchange 5.5 server authenticate against the Samba PDC/BDCs. I haven't tested this, but from David Chait's comments I'm assuming this is the case. I was planning on building a Samba PDC in my lab today to test this, but if anyone can give me a definite answer....
> >
> > Should be Ok.
> >
> > > Do those with greater Samba experience than I agree with the statements above?
> >
> > Experts are experts because they never agree with each other! :-)
> >
> > > BTW John T.: I appreciate the offer to call you if I need help. Before it's all over, I'm certain I'll do just that! Does 3:00 am on Saturday work for you? :-)
> >
> > 3:00am my time or yours? If mine, can you afford the fee? :-)
> >
> > > Again thanks to all, I'm off to do more reading...now where is that LDAP HOWTO?
> >
> > Cheers,
> > John T.
> >
> > > --
> > > Kevin L. Collins, MCSE
> > > Systems Manager
> > > Nesbitt Engineering, Inc.
> > >
> > > > -----Original Message-----
> > > > From: John H Terpstra [mailto:jht@samba.org]
> > > > Sent: Wednesday, May 07, 2003 10:19 PM
> > > > To: tech mail
> > > > Cc: samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > >
> > > > On Wed, 7 May 2003, tech mail wrote:
> > > >
> > > > > Hey John..thanks for that..I think many of us (probably wrongfully) term BDC as authentication, and then just leave it at that...which samba, as you stated, does do.
> > > >
> > > > Samba-3 does MUCH more than that - it allows you to build an NT4 style domain controller that has the robustness and scalability of Active Directory. But the design implementation will be VERY different from the way that ADS does it.
> > > >
> > > > I firmly believe that we have an alternative solution that for some people (many) will be a better solution than ADS. It has its own unique features and benefits. BUT, it is NOT NT4 PDC/BDC! It is NOT ADS! To say otherwise will earn us a scorn we will deserve.
> > > >
> > > > We need to get the message out that Samba offers an alternative that may be better, may be no better, and may not suit every site. But for those it does suit it is a sweet and dandy solution.
> > > >
> > > > - John T.
> > > >
> > > > > I guess the way I look at it is, if you have a NT PDC, then you probably have at least one other NT BDC...the SAMBA machine is used for a remote site and authenticating..
> > > > >
> > > > > If the PDC poo-poo's out, you have that other BDC which you can promote. I couldn't imagine having a NT PDC with a bunch of samba machines authenticating, because then, why not just take the plunge fully and go a full samba controlled backend?
> > > > >
> > > > > So, as you said..it doesn't do all the bells and whistles that define an NT BDC...but it does do the important part and lets you logon!
> > > > >
> > > > > ;)
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: John H Terpstra [mailto:jht@samba.org]
> > > > > > Sent: Wednesday, May 07, 2003 8:46 PM
> > > > > > To: tech mail
> > > > > > Cc: David Chait; samba@lists.samba.org; Dan Gapinski; Collins, Kevin
> > > > > > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > > > > >
> > > > > > On Wed, 7 May 2003, tech mail wrote:
> > > > > >
> > > > > > > bit baffled as to your statement about:
> > > > > > > Samba-2.2.x and Samba-3.0.0 can not act as a BDC to an NT4 PDC
> > > > > > >
> > > > > > > maybe we are just on a different page, but with winbind, aren't you able to grab the user database from a remote NT4 PDC?? and then authenticate off that? which would then be a BDC (for authentication purposes at least)
> > > > > >
> > > > > > Apparently we are on a different page!
> > > > > >
> > > > > > You really will need to read the new Samba-HOWTO-Collection some time (not released yet). This document is a work in progress.
> > > > > >
> > > > > > > please correct me where I am wrong, or where there may be miscommunication
> > > > > >
> > > > > > Wrong. Winbind does not do SAM replication! If it does then point me to the code that makes that happen.
> The above is not correct.
> you cannot intermix line(s) without \ and keep the command "united".
> So change it to
> --with-stuff1 \
> --with-stuff2 \
> --with-ldapsam
>
> or maybe
> --with-stuff1 \
> --with-stuff2 \
> --with-ldapsam # NEI Modifications

The best way is to insert any additional lines in between existing ones instead of at the end, that way you don't get caught out, says me from experience ;)
My question relates to your network design. With one only PDC all your logon traffic (profile stuff) will be routed across your frame relay links. (I don't believe samba can be configured as a logon server if it isn't a PDC.) I hope I'm wrong here? Which means the logon traffic for even a small number of users will probably saturate your WAN links, leading to slow logon-logoff times.

Richard Coates.

On Fri, 2003-05-09 at 23:31, Chris McKeever wrote:
> I am using ldap for user database replication..
> security=user
>
> so far it seems to be working great
>
> > -----Original Message-----
> > From: richard [mailto:rcoates@bigpond.net.au]
> > Sent: Friday, May 09, 2003 5:02 AM
> > To: Chris McKeever
> > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> >
> > re your proposed network design....1 samba pdc linked to samba bdcs across wan links.
> > correct me if I'm wrong here, but I didn't think samba could be a logon server without acting as pdc also? (didn't work in my tests).
> > This means all your logon traffic routes across frame relay links, which is why we used local office pdcs.
> > Richard Coates.
My question was simply to make you aware of possible bottle-necks in your network design. Make sure you read Skippy's doc carefully. I'm not sure his auth "trick" still works with current samba.

On Sat, 2003-05-10 at 19:51, Chris McKeever wrote:
> when you refer to PDC, what global attributes are you referring to and their value ???
>
> local master ?
> domain master ?
> domain logons ?
> security ?
>
> let's get on the same page and go from there...everyone defines PDC slightly differently with respect to their overall design.
>
> from this article: http://www.skippy.net/linux/smb-howto.html
> it mentions that his scheme falls back to user if the line goes down.
>
> from my test with security=user domain logons=yes, I had an entire office complain that they couldn't log in one morning .. reason: I hadn't synced the databases yet .. there was an NT BDC in that subnet but for those machines that found the Linux bdc, it used it for the logon authentication .. these are win98 machines .. tests with XP aren't till next week
>
> > -----Original Message-----
> > From: richard [mailto:rcoates@bigpond.net.au]
> > Sent: Saturday, May 10, 2003 3:01 AM
> > To: Chris McKeever
> > Cc: samba@lists.samba.org
> > Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
> > The above is not correct.
> > you cannot intermix line(s) without \ and keep the command "united".
> > So change it to
> > --with-stuff1 \
> > --with-stuff2 \
> > --with-ldapsam
> >
> > or maybe
> > --with-stuff1 \
> > --with-stuff2 \
> > --with-ldapsam # NEI Modifications

Peter:

You were correct. After removing the comment between the last of the Red Hat config options and my config options, the build went properly. It went so properly in fact, that I was able to construct my first LDAP enabled Samba PDC on Friday and was even able to join a workstation to it and authenticate a logon properly! WHOOOOOOHOOOOOOO! :-)

I'm going to try and re-create the process today and document it on paper.

Thanks again for your help.

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

> The best way is to insert any additional lines in between existing ones instead of at the end, that way you don't get caught out, says me from experience ;)
Ok, I'm confused now.....

Let me try to explain the way I see it and someone PLEASE correct me if I'm wrong. I'm in the early planning stages and now is the time to change something if I need to.

The way I understand it, IF I have Samba configured to use an LDAP backend, then I can create a Samba PDC in my local office and two Samba BDCs in my remote offices.

For this setup to work, the PDC will have the following "[global]" config options:

    domain logons = yes
    domain master = yes
    security = domain
    ldap suffix = dc=nesbitt,dc=local
    ldap admin dn = cn=manager,dc=nesbitt,dc=local
    ldap port = 389
    ldap server = 127.0.0.1
    ldap ssl = no

The BDCs will have these:

    domain logons = yes
    domain master = no
    security = domain
    ldap suffix = dc=nesbitt,dc=local
    ldap admin dn = cn=manager,dc=nesbitt,dc=local
    ldap port = 389
    ldap server = 127.0.0.1
    ldap ssl = no

Note: The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security" directive and when I built my PDC in the lab on Friday I didn't have it in there, so Samba defaulted to "security = user". If I change this as shown above, will that have an adverse impact on my setup?

Each BDC will be an LDAP slave to the PDC which will be the LDAP master.

This (I think) will allow each of the BDCs to authenticate the logon attempts of the local subnets and not pass the logon attempt on to the PDC over the WAN lines. The LDAP database will be synced via the WAN lines to allow everyone to logon from anywhere.

If I read the information presented in the portion of the thread by Richard correctly, then we're not really talking about the same setup. The web link pointed out the normal Samba method of authentication is being used (i.e. smbpasswd, shadow and passwd files). But this does bring up a good point: Does Samba depend on a PDC for ALL authentication attempts? or (as I read it) Does the "domain logons" directive control whether the Samba server can or can't authenticate by itself?

If I have to depend on a PDC (even with LDAP) then that does me no good. I need to keep the logon attempts on each local subnet (i.e. at the BDC) unless something is broken. Sending the request to the PDC should be a "last resort" kinda thing.

Someone please straighten me out.... :-)

Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

On Saturday, May 10, 2003 6:30 AM, richard wrote:
> My question was simply to make you aware of possible bottle-necks in your network design. Make sure you read Skippy's doc carefully. I'm not sure his auth "trick" still works with current samba.
> -----Original Message-----
> From: Collins, Kevin [mailto:KCollins@nesbittengineering.com]
> Sent: Monday, May 12, 2003 9:23 AM
> To: 'samba@lists.samba.org'
> Subject: RE: [Samba] Replacing WinNT 4 PDC with Samba PDC
>
> Ok, I'm confused now.....
>
> Let me try to explain the way I see it and someone PLEASE correct me if I'm
> wrong. I'm in the early planning stages and now is the time to change
> something if I need to.
>
> The way I understand it, IF I have Samba configured to use an LDAP backend,
> then I can create a Samba PDC in my local office and two Samba BDCs in my
> remote offices.

perfect...works for me exactly as you define

> For this setup to work, the PDC will have the following "[global]" config
> options:
> domain logons = yes
> domain master = yes
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no

I _think_ that you want user level for everything. This allows the server you are connecting to to authenticate off its local userbase files...in this case LDAP. I _think_ with domain/server security level you then point to a password server and therefore do not keep the concept of remote authentication...but instead make it go to the PDC to authenticate. However, I am a bit unclear on all this, but I just set everything to user level.

> The BDCs will have these:
> domain logons = yes
> domain master = no
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no

same as above in terms of security = user

> Note: The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security"
> directive and when I built my PDC in the lab on Friday I didn't have it in
> there, so Samba defaulted to "security = user". If I change this as shown
> above, will that have an adverse impact on my setup?
>
> Each BDC will be an LDAP slave to the PDC which will be the LDAP master.

I think you are all set with your current setup

> This (I think) will allow each of the BDCs to authenticate the logon
> attempts of the local subnets and not pass the logon attempt on to the PDC
> over the WAN lines. The LDAP database will be synced via the WAN lines to
> allow everyone to logon from anywhere.
>
> If I read the information presented by that portion of the thread by Richard
> correctly, then we're not really talking about the same setup. The web link
> pointed out the normal Samba method of authentication is being used (i.e.
> smbpasswd, shadow and passwd files). But this does bring up a good point:
> Does Samba depend on a PDC for ALL authentication attempts? or (as I read
> it) Does the "domain logon" directive control whether the Samba server can
> or can't authenticate by itself?
>
> If I have to depend on a PDC (even with LDAP) then that does me no good. I
> need to keep the logon attempts on each local subnet (i.e. at the BDC)
> unless something is broken. Sending the request to the PDC should be a
> "last resort" kinda thing.
>
> Someone please straighten me out.... :-)

security=user then everything stays local, and considering that the _BDC_ has no idea where the PDC is, it can't send requests anywhere... I may be wrong, but this is working for me...

> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
Kevin

I can see some flaws in your setup below.....

your "Pdc" must have "security = user"

be aware if you set your "bdcs" with "security = domain" then ALL auth will be referred to the "pdc". Not what you want.

Remember samba2 cannot at this time be a true windows-like Bdc. You are emulating certain behaviour to get what you want. Don't know if samba3 can/will?

sorry I cannot help you with ldap, last time I tried it was too much trouble with conflicting docs, but others reply here announcing good success. However please ask the samba group for config guidelines...or perhaps the new docs with samba3 or Buchan Milne's site?

I was in your position a while back and opted for pdcs in each site, mainly because of logon and or profile traffic across vpns.

to repeat: I don't believe samba2 can be a logon server ie: domain logons = yes without also pdc config ... ie: security = user

Unless samba3 can do this or i'm wrong, you may have to rethink your layout.

SOMEONE PLEASE CORRECT ME IF I'M WRONG here because this is crucial to your network design and traffic across your vpns.

There was discussion on samba a while back on setting up ldap as you require...read only auth on all slave samba/ldap servers, pass change only to master ldap server, slave ldap servers sync with master ldap occasionally. try samba3 docs again or search the list archives.

I hope I have been some help, though many questions remain unanswered. I cc this to the list so others may jump in too.

regards,
Richard Coates.

On Mon, 2003-05-12 at 23:38, Collins, Kevin wrote:
> Ok, I'm confused now.....
>
> Let me try to explain the way I see it and someone PLEASE correct me if I'm
> wrong. I'm in the early planning stages and now is the time to change
> something if I need to.
>
> The way I understand it, IF I have Samba configured to use an LDAP backend,
> then I can create a Samba PDC in my local office and two Samba BDCs in my
> remote offices.
>
> For this setup to work, the PDC will have the following "[global]" config
> options:
> domain logons = yes
> domain master = yes
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no
>
> The BDCs will have these:
> domain logons = yes
> domain master = no
> security = domain
> ldap suffix = dc=nesbitt,dc=local
> ldap admin dn = cn=manager,dc=nesbitt,dc=local
> ldap port = 389
> ldap server = 127.0.0.1
> ldap ssl = no
>
> Note: The Samba-LDAP-PDC HOWTO (IDEALX) didn't mention the "security"
> directive and when I built my PDC in the lab on Friday I didn't have it in
> there, so Samba defaulted to "security = user". If I change this as shown
> above, will that have an adverse impact on my setup?
>
> Each BDC will be an LDAP slave to the PDC which will be the LDAP master.
>
> This (I think) will allow each of the BDCs to authenticate the logon
> attempts of the local subnets and not pass the logon attempt on to the PDC
> over the WAN lines. The LDAP database will be synced via the WAN lines to
> allow everyone to logon from anywhere.
>
> If I read the information presented by that portion of the thread by Richard
> correctly, then we're not really talking about the same setup. The web link
> pointed out the normal Samba method of authentication is being used (i.e.
> smbpasswd, shadow and passwd files). But this does bring up a good point:
> Does Samba depend on a PDC for ALL authentication attempts? or (as I read
> it) Does the "domain logon" directive control whether the Samba server can
> or can't authenticate by itself?
>
> If I have to depend on a PDC (even with LDAP) then that does me no good. I
> need to keep the logon attempts on each local subnet (i.e. at the BDC)
> unless something is broken. Sending the request to the PDC should be a
> "last resort" kinda thing.
>
> Someone please straighten me out.... :-)
>
> Kevin L. Collins, MCSE
> Systems Manager
> Nesbitt Engineering, Inc.
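The replies above settle on three rules for a Samba 2.2 domain controller: `security = user` on the PDC and on every BDC (with `security = domain` the server forwards each logon to its password server, which for a remote-office BDC means across the WAN), `domain logons = yes` everywhere, and `domain master = yes` on exactly one server. The posted fragments also carry a line without an `=` (`ldap server 127.0.0.1`), which Samba silently ignores. The following lint is an added example, not code from the thread or from the Samba project; it reads an smb.conf `[global]` fragment with a minimal parser of its own and reports those problems. The sample fragments are constructed from the configuration quoted in the thread.

```python
"""Lint an smb.conf [global] fragment for the Samba 2.2 PDC/BDC rules above.

Added example. Assumptions: a tiny ini-style reader is enough for the
fragments in question (no include files, no macro expansion), and role is
given by the caller as 'pdc' or 'bdc'.
"""
import re

# Constructed sample: the PDC fragment as posted, with the two problems the
# replies point at (security = domain, and a parameter line missing '=').
PDC_AS_POSTED = """
[global]
    domain logons = yes
    domain master = yes
    security = domain
    ldap suffix = dc=nesbitt,dc=local
    ldap admin dn = cn=manager,dc=nesbitt,dc=local
    ldap port = 389
    ldap server 127.0.0.1
    ldap ssl = no
"""

# Constructed sample: the same fragment with both problems corrected.
PDC_FIXED = PDC_AS_POSTED.replace("security = domain", "security = user") \
                         .replace("ldap server 127.0.0.1", "ldap server = 127.0.0.1")

# A BDC differs only in not being the domain master.
BDC_FIXED = PDC_FIXED.replace("domain master = yes", "domain master = no")

TRUE = ("yes", "true", "1")
FALSE = ("no", "false", "0", "off")


def parse_smbconf(text):
    """Return ({section: {key: value}}, [malformed lines]).

    Keys are lowercased with whitespace collapsed, since Samba matches
    parameter names case-insensitively. Lines with no '=' are collected
    separately: smbd logs and ignores them, which is easy to miss.
    """
    sections, bad_lines, current = {}, [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            bad_lines.append(line)
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[" ".join(key.lower().split())] = value.strip()
    return sections, bad_lines


def lint_dc(text, role):
    """Return a list of findings for a server meant to be a 'pdc' or 'bdc'."""
    sections, bad_lines = parse_smbconf(text)
    g = sections.get("global", {})
    findings = [f"line has no '=' and will be ignored by Samba: {line!r}" for line in bad_lines]

    security = g.get("security", "user").lower()
    if security != "user":
        findings.append(f"security = {security}: a domain controller must use security = user; "
                        "domain/server security forwards every logon to the password server")
    if g.get("domain logons", "no").lower() not in TRUE:
        findings.append("domain logons = yes is required for a PDC or BDC")

    domain_master = g.get("domain master", "auto").lower()
    if role == "pdc" and domain_master not in TRUE:
        findings.append("PDC needs domain master = yes")
    if role == "bdc" and domain_master not in FALSE:
        findings.append("BDC needs domain master = no (one domain master per domain)")

    # Caveat for the LDAP backend: a cleartext bind with the admin dn is only
    # acceptable when the directory is on the same host, as in the thread.
    server = g.get("ldap server", "localhost").lower()
    if g.get("ldap ssl", "").lower() in FALSE and server not in ("127.0.0.1", "localhost"):
        findings.append(f"ldap ssl is off but ldap server = {server} is remote: "
                        "the ldap admin dn password would cross the network in the clear")
    return findings


if __name__ == "__main__":
    for name, text, role in (("PDC as posted", PDC_AS_POSTED, "pdc"),
                             ("PDC fixed", PDC_FIXED, "pdc"),
                             ("BDC fixed", BDC_FIXED, "bdc")):
        problems = lint_dc(text, role)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the posted PDC fragment it reports the ignored `ldap server` line and the `security = domain` setting; the corrected PDC and BDC fragments pass. Feeding the corrected PDC fragment in as a BDC flags the second `domain master = yes`, which is the other way a two-site setup quietly breaks.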
> I missed the beginning of this thread, so sorry for asking an obvious
> question: Kevin, what version of Samba are you running? 3.0 or 2.2?

Soren,

Right now in my lab I'm using Samba 2.2.5-10 from Red Hat (in the 8.0 release). I'm hoping to put 2.2.8x in production on my new server inside of a month. I'm waiting on the hardware to begin testing that.

> I've already got 2.2 set up here at my workplace, but I've been
> experimenting with 3.0 and have run into some problems.

I may begin looking at 3.x after I get my new system in place. I wish it was "ready for prime time", but I just don't think that any Alpha/Beta code is ready. I'll wait until it's officially released to begin thinking about that. I've heard (and believe) that Samba 3 would emulate exactly what I have now with my NT 4.0 setup (PDCs in each office with Trusts between them), but I don't have time to wait. My File Server *needs* to be replaced now just so I can handle the load.

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

> --
> Soren Harward
> soren@byu.edu